Tunnel Checks with SixXS as Secondary Tunnel Provider
If I have a machine with an existing tunnel to Hurricane Electric as my main tunnel and SixXS as a second tunnel that I'd eventually like to migrate to, is there a way to configure my routes to send return traffic from SixXS over that tunnel? I've tried this with routes in the following manner (on OpenBSD 4.7):
```
route -n add -inet6 default 2001:470:c:aa::1
route -n add -inet6 -net 2001:1938::0 -prefixlen 32 2001:1938:81:16a::1
```
I can ping my next-hop without the route, but I can't traceroute6 when I specify my source address as my end of the SixXS tunnel. If I try and traceroute6 into SixXS network somewhere (just the 2001:1938::1), I get admin prohibited by the SixXS end of the tunnel:
```
# traceroute6 -s 2001:1938:81:16a::2 2001:1938::1
traceroute6 to 2001:1938::1 (2001:1938::1) from 2001:1938:81:16a::2, 64 hops max, 12 byte packets
1 cl-363.phx-01.us.sixxs.net 2995.39 ms !A 2998.32 ms !A 2999.9 ms !A
```
So, does anyone have a dual tunnel configuration? If so, how do you deal with incoming ICMP requests from SixXS? Right now my packet loss on those checks is at 100-percent, but I'm quite certain everything is working on the interfaces. I imagine the return route isn't correct.
Thanks.
Tunnel Checks with SixXS as Secondary Tunnel Provider
Part of my problem here is that I'm not getting ndp responses. I see this when sending out icmp6 echo requests.
```
14:38:52.555123 2001:1938:81:16a::2 > ff02::1:ff00:1: icmp6: neighbor sol: who has 2001:1938:81:16a::1
```
I don't see this exiting my main tunnel gif interface, but see it on the ethernet interface.
Any help is appreciated.
Tunnel Checks with SixXS as Secondary Tunnel Provider
You need multiple routing tables for this. I am not sure how it is done with OpenBSD but this is an example of my Linux configuration using iproute2:-
```
IP=/sbin/ip
$IP -6 route add default via [TUNNEL-A-GW] dev sixxs-TAAAAA table sixxs-TAAAAA
$IP -6 route add default via [TUNNEL-B-GW] dev sixxs-TBBBBB table sixxs-TBBBBB
# Prefer this tunnel
$IP -6 route add default via [TUNNEL-B-GW] dev sixxs-TBBBBB metric 1000 table main
$IP -6 rule add to [PREFIX-A/48] pref 16001 lookup main
$IP -6 rule add to [PREFIX-B/48] pref 16002 lookup main
$IP -6 rule add from [PREFIX-A1/64] pref 16381 lookup sixxs-TAAAAA
$IP -6 rule add from [PREFIX-A/48] pref 16382 lookup sixxs-TAAAAA
$IP -6 rule add from [PREFIX-B1/64] pref 16383 lookup sixxs-TBBBBB
$IP -6 rule add from [PREFIX-B/48] pref 16384 lookup sixxs-TBBBBB
# Summary routes to prevent loops
$IP -6 route add blackhole [PREFIX-A/48] dev lo
$IP -6 route add blackhole [PREFIX-B/48] dev lo
```
Contents of /etc/iproute2/rt_tables:-
```
1 sixxs-TAAAAA
2 sixxs-TBBBBB
```
This has been very useful when one of the pops has had an outage. Unfortunately there have been a couple of occasions when both pops suffered an outage at the same time.
P.S. Still no "Preview" button when posting?!
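An added example, not part of the original posts: a small Python model of how Linux evaluates the policy rules in the reply above, showing which interface a packet leaves by for a given source and destination. The prefixes are constructed from the documentation range 2001:db8::/32, the eth0 LAN route is an assumption, and only the /48 rules plus the kernel's default rule for table main are modeled.

```python
import ipaddress as ip

# Constructed stand-ins (documentation range) for [PREFIX-A/48] and [PREFIX-B/48].
PREFIX_A = ip.ip_network("2001:db8:a::/48")
PREFIX_B = ip.ip_network("2001:db8:b::/48")
ANY = ip.ip_network("::/0")

# (pref, selector, prefix, table), mirroring the "ip -6 rule add" lines.
RULES = [
    (16001, "to", PREFIX_A, "main"),
    (16002, "to", PREFIX_B, "main"),
    (16382, "from", PREFIX_A, "sixxs-TAAAAA"),
    (16384, "from", PREFIX_B, "sixxs-TBBBBB"),
    (32766, "from", ANY, "main"),  # the kernel's default rule for table main
]

# Per-table routes as (destination prefix, outcome).
TABLES = {
    "sixxs-TAAAAA": [(ANY, "sixxs-TAAAAA")],
    "sixxs-TBBBBB": [(ANY, "sixxs-TBBBBB")],
    "main": [
        (ip.ip_network("2001:db8:a:1::/64"), "eth0"),  # assumed on-link LAN subnet
        (PREFIX_A, "blackhole"),  # summary routes from the post
        (PREFIX_B, "blackhole"),
        (ANY, "sixxs-TBBBBB"),    # preferred tunnel's default route
    ],
}

def route_lookup(table, dst):
    """Longest-prefix match within one table; None if no route matches."""
    hits = [(net.prefixlen, out) for net, out in TABLES[table] if dst in net]
    return max(hits, key=lambda h: h[0])[1] if hits else None

def egress(src, dst):
    """Walk rules in ascending pref; the first table with a matching route decides."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    for _pref, selector, net, table in sorted(RULES, key=lambda r: r[0]):
        if (dst if selector == "to" else src) in net:
            out = route_lookup(table, dst)
            if out is not None:
                return out
    return "unreachable"

if __name__ == "__main__":
    remote = "2001:db8:ffff::1"  # constructed off-site address
    for src in ("2001:db8:a:1::10", "2001:db8:b:1::10"):
        print(src, "->", remote, "leaves via", egress(src, remote))
```

Replies sourced from tunnel A's prefix leave by tunnel A even though the main table prefers tunnel B, and unassigned addresses inside either /48 hit the blackhole route instead of being sent back up a tunnel.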